3

I'm capturing wireless frames. The first structure I'm using is:

struct mgmt_header_t {
    u_int16_t   fc;
    u_int16_t   duration;
    u_int8_t    da[6];
    u_int8_t    sa[6];
    u_int8_t    bssid[6];
    u_int16_t   seq_ctrl;
};

But this header mismatches, because my captured packet starts with the destination address followed by the source address?! I think I'm on 802.11g; is there a difference? The above structure follows tcpdump and the IEEE 802.11-2007 standard.

-- UPDATE -- After taking a look at Wireshark, it says [Protocols in frame : eth:ip:tcp:http], and testing these structures in this order worked, but I'm still looking to analyze 802.11 frames.

cap10ibrahim

1 Answer

0

"Protocols in frame : eth:ip:tcp:http" means that the packets have Ethernet headers, not 802.11 headers. On most OSes, capturing on an 802.11 interface will, by default, give you Ethernet headers; you would have to explicitly select 802.11 headers when capturing, either by selecting monitor mode (the only way to get 802.11 headers on OSes other than the BSDs is by capturing in monitor mode) or by selecting 802.11 headers (which you can do on the BSDs when not capturing in monitor mode). On Windows, WinPcap doesn't currently support capturing in monitor mode at all.
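The check the answer implies, as an added example that is not part of the original question or answer: decide from the capture's link-layer type whether the bytes can be read as the question's `mgmt_header_t` at all, and where the 802.11 header starts. In a real capture the link type comes from libpcap's `pcap_datalink()`; the names `mgmt_view` and `parse_mgmt` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Link-layer type values as defined by libpcap (normally from <pcap/dlt.h>). */
#define DLT_EN10MB           1    /* Ethernet header: da, sa, ethertype */
#define DLT_IEEE802_11       105  /* bare 802.11 header */
#define DLT_IEEE802_11_RADIO 127  /* radiotap header, then 802.11 header */

struct mgmt_view {                /* hypothetical decoded form of mgmt_header_t */
    uint16_t fc, duration, seq_ctrl;
    uint8_t  da[6], sa[6], bssid[6];
};

/* Constructed sample: 8-byte radiotap header followed by a beacon header. */
static const uint8_t sample[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,  /* radiotap, it_len = 8 */
    0x80, 0x00, 0x00, 0x00,                          /* fc = beacon, duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,              /* da (broadcast) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,              /* sa */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,              /* bssid */
    0x10, 0x00 };                                    /* seq_ctrl */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* 0 = parsed; -1 = not an 802.11 capture (e.g. Ethernet headers);
 * -2 = truncated or malformed; -3 = 802.11 but not a management frame. */
int parse_mgmt(int linktype, const uint8_t *pkt, size_t len, struct mgmt_view *out)
{
    size_t off = 0;
    if (linktype == DLT_IEEE802_11_RADIO) {
        if (len < 4) return -2;
        off = le16(pkt + 2);           /* radiotap it_len is little-endian */
        if (off < 8) return -2;        /* radiotap header is at least 8 bytes */
    } else if (linktype != DLT_IEEE802_11) {
        return -1;                     /* struct would overlay the wrong header */
    }
    if (off > len || len - off < 24) return -2;
    const uint8_t *h = pkt + off;
    out->fc = le16(h);
    if (((out->fc >> 2) & 0x3) != 0) return -3;   /* type 0 = management */
    out->duration = le16(h + 2);
    memcpy(out->da, h + 4, 6);
    memcpy(out->sa, h + 10, 6);
    memcpy(out->bssid, h + 16, 6);
    out->seq_ctrl = le16(h + 22);
    return 0;
}

int main(void) { struct mgmt_view v; printf("%d\n", parse_mgmt(DLT_IEEE802_11_RADIO, sample, sizeof sample, &v)); return 0; }
```

With `DLT_EN10MB` the function refuses to parse, which is the situation in the question: the first 12 bytes are the Ethernet destination and source addresses, not `fc` and `duration`.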